Security Incidents mailing list archives
Wierd Logs
From: Rick Harris <rharris () DARKFLAME NET>
Date: Mon, 28 Aug 2000 11:00:10 -0500
Incidents,

I have seen some very strange things in my PIX logs and I wanted to see if someone could shed some light on this. I have repeatedly tested and cannot reproduce this attack. The logs state:

305005: No translation group found for tcp src inside:246.89.253.41/27849 dst outside:200.254.60.200/8755
305005: No translation group found for tcp src inside:62.195.36.140/27082 dst outside:200.254.60.200/8763
305005: No translation group found for tcp src inside:33.188.240.89/57477 dst outside:200.254.60.200/8770
305005: No translation group found for tcp src inside:201.243.53.18/25288 dst outside:200.254.60.200/8778

This is a small piece of the logs, and this attack went on for several hours. The PIX is configured for NAT and to only allow outbound connections, and NONE of these addresses are in our address space at all. I have tracked the origin of the attack back and dealt with it there, but I am still unsure of what/how allowed them to bring down the network behind the PIX. I have tried Smurf/Tribe floods, spoofing src addresses, anything I could think of, but I could not duplicate this. (Of course that could also be the result of dealing with it for 26 hours :) I could not get the dst address to be wrong.

Anyway, can someone shed some light here...

Thanks! Off to sleep

Rick
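A triage sketch for the 305005 lines quoted in the message above, added here as an example and not part of the original post: it groups the messages by destination and lists sources that were logged on the inside interface but do not belong to the inside network. The INSIDE_NET value is a placeholder assumption, since the post does not give the real address space.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: placeholder inside network; the post does not state the real one.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# The four log lines quoted in the post.
SAMPLE = """\
305005: No translation group found for tcp src inside:246.89.253.41/27849 dst outside:200.254.60.200/8755
305005: No translation group found for tcp src inside:62.195.36.140/27082 dst outside:200.254.60.200/8763
305005: No translation group found for tcp src inside:33.188.240.89/57477 dst outside:200.254.60.200/8770
305005: No translation group found for tcp src inside:201.243.53.18/25288 dst outside:200.254.60.200/8778
"""

LINE_RE = re.compile(
    r"305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def parse(text):
    """Yield one dict per 305005 message; works on wrapped or run-together text."""
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        e["sip"] = ipaddress.ip_address(e["sip"])
        e["dip"] = ipaddress.ip_address(e["dip"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        yield e

def summarize(text, inside_net=INSIDE_NET):
    """Per destination: event count, distinct sources, destination ports,
    sources seen on 'inside' that are not in inside_net, and reserved sources."""
    out = defaultdict(lambda: {"events": 0, "sources": set(), "dports": [],
                               "foreign": set(), "reserved": set()})
    for e in parse(text):
        s = out[str(e["dip"])]
        s["events"] += 1
        s["sources"].add(e["sip"])
        s["dports"].append(e["dport"])
        if e["sif"] == "inside" and e["sip"] not in inside_net:
            s["foreign"].add(e["sip"])   # inside interface, not our address space
        if e["sip"].is_reserved:
            s["reserved"].add(e["sip"])  # 240.0.0.0/4, not assignable to a host
    return dict(out)

if __name__ == "__main__":
    for dst, s in summarize(SAMPLE).items():
        print(dst, s["events"], "events,", len(s["sources"]), "sources,",
              len(s["foreign"]), "not in", INSIDE_NET, "dports", s["dports"])
```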
Current thread:
- Wierd Logs Rick Harris (Aug 28)
- <Possible follow-ups>
- Re: Wierd Logs Otto Peltomaa (Aug 28)
- Re: Wierd Logs Robert Collins (Aug 30)